September 15, 2010

ROSS PHILO
CHIEF INFORMATION OFFICER AND EXECUTIVE VICE PRESIDENT

SUBJECT: Audit Report – External Public Key Infrastructure Services – Fiscal Year 2010 (Report Number IS-AR-10-013)

This report presents the results of our audit of the U.S. Postal Service's external Public Key Infrastructure (PKI) services (Project Number 10RG014IT000). The objective was to determine whether the Postal Service effectively managed its external PKI services to comply with established guidance. We performed this audit at the request of Postal Service management to ensure that external PKI services continue to operate at a level to remain cross-certified with the U.S. Government's Federal Bridge Certification Authority. See Appendix A for additional information about this audit.

PKI is the combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions. PKI relies on the exchange of digital certificates between authenticated users and trusted resources. The Certificate Policy is a written document that defines how an organization issues and uses certificates and the measures the organization uses to validate the subjects of the certificates.

Conclusion

The Postal Service generally managed its external PKI services in compliance with established guidance. However, we identified inconsistencies between the Postal Service's Certificate Policy, Certification Practice Statements, and operations in the external PKI environment.

Postal Service PKI Policies and Environment

There were       instances where the operations of the Postal Service's external environment did not conform to the requirements of the Certification Practice Statements. In addition, there were 12 instances of inconsistencies between the Certificate Policy and Certification Practice Statements. Postal Service personnel did not perform periodic reviews of the external PKI operations and policies to ensure conformance. Inconsistencies may cause misinterpretation of PKI policies and delays in maintaining cross-certification with the Federal Bridge Certification Authority. For example, the roles and responsibilities memorandum did not contain the PKI auditor's role as listed in the Certificate Policy and the Root, Intermediate, and Subordinate Certification Practice Statements. See Appendix B for our detailed analysis of this topic.

External Public Key Infrastructure Services – Fiscal Year 2010                                    IS-AR-10-013

When brought to their attention, management took action to correct these identified issues. While we acknowledge management's timely action to resolve these issues, we are making a recommendation that should prevent similar issues in the future.

We recommend the chief information officer and executive vice president direct the manager, Corporate Information Security, to:

1. Develop procedures to ensure reviews of applicable policies and processes are performed following changes to the Postal Service's external Public Key Infrastructure environment.

Management's Comments

Management agreed with the recommendation. Management will review the Federal PKI Policy Authority meeting minutes to determine if there are any policy changes and, if so, will update the Certificate Policy and Certification Practice Statements documents as required. Additionally, they will conduct a quarterly review of implemented changes to ensure consistency between the Certificate Policy, Certification Practice Statements, and operations of the external PKI environment. See Appendix C for management's comments in their entirety.

Evaluation of Management's Comments

The U.S. Postal Service Office of Inspector General considers management's comments responsive to the recommendation, and the corrective action should resolve the issues identified in the report.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, director, Information Technology, or me at 703-248-2100.

    E-Signed by Darrell E. Benjamin, Jr.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Deborah J. Judy
    Charles L. McGann, Jr.
    Corporate Audit and Response Management


                                  APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

PKI is the combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions. PKI relies on the exchange of digital certificates between authenticated users and trusted resources. A Certification Authority is an essential component of the Microsoft PKI solution. In a Windows Server 2003 network, a Certification Authority is a Windows Server 2003 computer with Certificate Services installed. A Certification Authority issues certificates to users, computers, and services and manages those certificates.

To support PKI-enabled applications, an organization must design and implement the Certification Authority hierarchy. Common roles in a Certification Authority hierarchy include a root, a policy, and an issuing Certification Authority. The Postal Service's external PKI[1] consists of a root, an intermediate, and two subordinate Certification Authorities.

The Certificate Policy is a written document that defines how an organization issues and uses certificates and the measures the organization uses to validate the subjects of the certificates. The Certificate Policy also includes the legal requirements an organization must follow when using certificates that its PKI issues. A Certification Practice Statement is a statement of the practices a Certification Authority uses to issue, revoke, and manage certificates. Different practice statements may exist for each Certification Authority in the hierarchy, based on the type of certificates the Certification Authority issues and to whom the Certification Authority issues them.

Homeland Security Presidential Directive 12 established a federal policy[2] to create and use a government-wide secure and reliable form of identification for federal employees and contractors. Currently,                                                                        However, the Federal Information Processing Standard Publication 201 requires every Homeland Security Presidential Directive 12 credential the government issues to contain an external digital certificate. As a result, the Postal Service created a Certification Authority server room                             that houses the external PKI environment. This environment could authenticate and verify government-wide identification badges issued to Postal Service employees and contractors.

The Federal Public Key Infrastructure Policy Authority is an interagency body established under the Chief Information Officers Council to enforce digital certificate standards for trusted identity authentication across federal agencies and among federal agencies and outside bodies. The Federal Bridge Certification Authority is an information system that facilitates an entity accepting certificates issued by another entity for a transaction.

In support of Homeland Security Presidential Directive 12, the Federal Public Key Infrastructure Policy Authority approved the Postal Service's external PKI for cross-certification in April 2008 at a        hardware level. The Federal Public Key Infrastructure Policy Authority requires a full and complete compliance audit of all mandatory criteria to serve as the baseline for the triennial audits. We conducted this audit to ensure the Postal Service's external PKI services continue to operate at a level to remain cross-certified with the Federal Bridge Certification Authority.

[1] The Postal Service refers to its policy Certification Authority as an intermediate Certification Authority and refers to its issuing Certification Authority as a subordinate Certification Authority.
[2] Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 27, 2004.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine whether the Postal Service effectively managed its external PKI services in compliance with established guidance. We conducted our work                                                    To accomplish the objective, we evaluated whether:

    •   The Postal Service's Root, Intermediate, and Subordinate Certification Practice Statements conformed to the Postal Service's Certificate Policy.

    •   PKI operations complied with requirements in the Root, Intermediate, and Subordinate Certification Practice Statements.

We performed a compliance audit of all mandatory criteria as stated in the Federal Public Key Infrastructure Policy Authority (FPKIPA) Triennial Compliance Audit Requirements. Mandatory criteria include a review of all procedures and controls; previous compliance audit findings for associated changes and corrective actions; and all changes to policies, procedures, personnel, and system and technical aspects since the previous compliance audit.

We used the following Postal Service policy documents as criteria to evaluate whether the Certification Practice Statements conformed to the Certificate Policy and whether PKI operations complied with PKI policy:

    •   United States Postal Service Public Key Infrastructure (PKI) X.509 Certificate Policy (CP), Version 1.68, dated March 8, 2010, last updated August 12, 2010.

    •   United States Postal Service Root Certification Authority (CA) Certification Practice Statement (CPS), Version 1.20, dated March 8, 2010, last updated August 12, 2010.

    •   United States Postal Service Intermediate Certification Authority (CA) Certification Practice Statement (CPS), Version 1.20, dated March 8, 2010, last updated August 12, 2010.

    •   United States Postal Service Subordinate Certification Authority (CA) Certification Practice Statement (CPS), Version 1.20, dated March 8, 2010, last updated August 12, 2010.

    •   Handbook AS-805, Information Security, dated November 2009.

To validate conformance, we interviewed staff to discuss policies and compared statements in the Certification Practice Statements to corresponding statements in the Certificate Policy to determine whether the statements were the same or different.

To validate operations, we observed operations and interviewed PKI personnel to determine if actual practices and procedures were as stated in the Certification Practice Statements.

To validate that management had taken corrective action on the FY 2009 PKI compliance audit recommendation, we verified the status during fieldwork and determined that management implemented the recommendation.

We conducted this performance audit from February through September 2010 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management officials throughout the audit and on August 30, 2010, and included their comments where appropriate.

PRIOR AUDIT COVERAGE

Report Title: Compliance Audit of the Postal Service's External Public Key Infrastructure Services
Report Number: IS-AR-09-012
Final Report Date: 9/18/2009
Results: The Postal Service was effectively managing its PKI services in compliance with established guidance as stated in their Certificate Policy and Certification Practice Statements. However, we identified, and management corrected, 10 instances of non-compliance between the Postal Service's PKI policies and its external PKI environment. Management agreed with our recommendation and stated they will review and compare the Certificate Policy and Certification Practice Statement documents for accuracy and consistency by February 2010. During the FY 2010 audit, we verified that management successfully implemented the FY 2009 recommendation.

Report Title: Compliance Audit of the Postal Service's External Public Key Infrastructure Services
Report Number: IS-AR-08-017
Final Report Date: 9/11/2008
Results: The Postal Service was effectively managing its PKI services in compliance with established guidance as stated in their Certificate Policy and Certification Practice Statements. However, we identified     instances of non-compliance between the Postal Service's PKI policies and its external PKI environment. Of these, management corrected two and developed resolution plans for the remaining      . Management agreed with our recommendation and stated they would establish milestones to implement resolutions for the remaining non-compliant issues in the external PKI environment by December 31, 2008. During the FY 2009 audit, we verified that nine of the 10 remaining instances of non-compliance were completed and that management was in the process of correcting the remaining issue. This project is closed.

Report Title: Compliance Audit of the Postal Service's External Public Key Infrastructure Services
Report Number: IS-AR-08-001
Final Report Date: 10/5/2007
Results: In general, the Postal Service's external PKI environment complies with their Certificate Policy, Certification Practice Statements, and any applicable Memorandums of Agreement. However, the Postal Service could improve their external PKI environment by mitigating the remaining instances of its non-compliance with Postal Service PKI policies and procedures in the external PKI environment. Management agreed with our recommendation and stated they would develop a risk mitigation plan by October 31, 2007. We verified that management resolved the remaining FY 2007 instances of non-compliance during the FY 2008 audit. This project is closed.

Report Title: Information for the Federal Bridge Certification Authority
Report Number: IS-WP-07-001
Final Report Date: 10/2/2006
Results: The Postal Service's PKI operations, as of September 1, 2006, conformed to the Certification Practice Statements documents. This project is closed.

Report Title: Certificate Authority Public Key Infrastructure Compliance
Report Number: IS-AR-06-015
Final Report Date: 9/1/2006
Results: We performed a follow-up audit and reviewed items identified in a March 2006 audit performed by Klynveld Peat Marwick Goerdeler LLP. The Postal Service had corrected most of the issues identified in the report. However, management could make improvements by establishing and assigning the HSPD-12 Registration Authorities and Subscribers and completing the CA-PKI back-up environment. Management agreed with the recommendation and stated that the completion date for the PKI back-up site was September 1, 2006. This project is closed.


                              APPENDIX B: DETAILED ANALYSIS

Postal Service PKI Policies and PKI Environment

There were    instances where the operations of the Postal Service's external environment did not conform to the requirements of the Certification Practice Statements. For example:

    •   The Corporate Information Security Office roles and responsibilities memorandum for the Homeland Security Presidential Directive 12 project did not contain the PKI auditor's role listed in the Certificate Policy and the Root, Intermediate, and Subordinate Certification Practice Statements.

    •   PKI personnel                 ensuring proper documentation as stated in the Root, Intermediate, and Subordinate Certification Practice Statements.

    •   The Root and Intermediate servers                    therefore the                                                 as stated in the Root and Intermediate Certification Practice Statements, was not valid.

    •   Power and air conditioning back-up power capabilities were inaccurately stated in the Certificate Policy and the Root, Intermediate, and Subordinate Certification Practice Statements.

Additionally, we found      instances of documentation inconsistencies in the Certification Practice Statements, which did not provide sufficient detail to support corresponding Certificate Policy requirements. For example, the Subordinate Certification Practice Statement was missing a paragraph regarding registration authorities that was included in the Certificate Policy. Further, statements were missing in the Root and Intermediate Certification Practice Statements concerning the Certificate Revocation List scheduling details included in the Certificate Policy.

Management placed limited focus on reviewing PKI policies because the Postal Service is not actively issuing certificates in this environment. Operating the external PKI environment in compliance with policies and with consistent documentation maintains cross-certification and improves the understanding of policies.

In Table 1, we summarized the results of our review of the Postal Service's Certificate Policy and Certification Practice Statements documents. All 4,261 items we reviewed were compliant at the time we issued this report.

                                     Table 1 – Status of Compliance

       Status of Items Reviewed                  Items Reviewed   Percentage
       Compliant with environment                      4,236          99.4%
       Non-compliant items corrected                      25           0.6%
       Non-compliant items outstanding                     0           0.0%
       Total items reviewed                            4,261         100.0%


                         APPENDIX C: MANAGEMENT'S COMMENTS


           APPENDIX D: COMPLIANCE LETTER TO FEDERAL PUBLIC KEY
                    INFRASTRUCTURE POLICY AUTHORITY

The auditor letter of compliance and background information required for the Federal Public Key Infrastructure Policy Authority begins on the next page.


September 15, 2010                                   Report Number: IS-AR-10-013

ROSS PHILO
CHIEF INFORMATION OFFICER AND EXECUTIVE VICE PRESIDENT

SUBJECT: External Public Key Infrastructure Services

We performed an audit to determine whether the U.S. Postal Service effectively managed its external Public Key Infrastructure (PKI) services in compliance with established guidance. This audit was performed to ensure that the external PKI services continue to operate at a level to remain certified with the U.S. Government's Federal Bridge Certification Authority.

Audit Methodology

We conducted this audit from February through September 2010 in accordance with generally accepted government auditing standards. As recommended by the Federal Public Key Infrastructure Policy Authority Triennial Compliance Audit Requirements, we performed a full and complete compliance audit of all mandatory criteria. Mandatory criteria include a review of all procedures and controls; previous compliance audit findings for associated changes and corrective actions; and all changes to policies, procedures, personnel, and system and technical aspects since the previous compliance audit.

Documents and Criteria

We used the following Postal Service policy documentation as criteria during our audit:

   •   United States Postal Service Public Key Infrastructure (PKI) X.509 Certificate Policy (CP), Version 1.68, dated March 8, 2010, last updated August 12, 2010.

   •   United States Postal Service Root Certification Authority (CA) Certification Practice Statement (CPS), Version 1.20, dated March 8, 2010, last updated August 12, 2010.

   •   United States Postal Service Intermediate Certification Authority (CA) Certification Practice Statement (CPS), Version 1.20, dated March 8, 2010, last updated August 12, 2010.

   •   United States Postal Service Subordinate Certification Authority (CA) Certification Practice Statement (CPS), Version 1.20, dated March 8, 2010, last updated August 12, 2010.

   •   Handbook AS-805, Information Security, dated November 2009.

Evaluation of Effective Management of Postal Service External PKI Environment in Compliance with Established Guidance

As of September 15, 2010, the Postal Service effectively managed its external PKI environment in compliance with established guidance. We reviewed          external PKI components documented in the criteria listed above. Although we found instances of non-compliance, which management corrected during our audit, we considered them insignificant to the overall external PKI environment.

The attachment to this letter contains the identities and qualifications of the U.S. Postal Service Office of Inspector General (OIG) personnel who conducted this audit.


Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

Attachment

cc: Deborah J. Judy
    Charles L. McGann, Jr.


Background for Federal Public Key Infrastructure Policy Authority Auditor Letter of Compliance

Identity of the Auditors:

      United States Postal Service
      Office of Inspector General
      1735 N. Lynn Street
      Arlington, VA 22209-2020

      Darrell E. Benjamin, Jr.
      Frances E. Cain
      Michael Blaszczak
      Maria Gomez
      David Horton
      Ursula Sundre
      Kimberly Jones
      Ruth Smolinski

Competence of the Auditors:

      Darrell Benjamin, Jr., CPA, CIA, 21 years of audit experience
      Frances E. Cain, CISA, 18 years of audit experience
      Michael Blaszczak, CISA, CIPP, 14 years of audit experience
      Maria Gomez, CISA, CIA, 11 years of audit experience
      David Horton, CISSP, CEH, 10 years of audit experience
      Ursula Sundre, CISA, 10 years of audit experience
      Kimberly Jones, 10 years of audit experience
      Ruth Smolinski, CISA, 4 years of audit experience

Experience of Auditors Auditing PKI Systems:

      The OIG has been involved in the Postal Service's PKI effort since August 2005 and has performed several audits of the PKI environment.

Relationship of the Auditor to the U.S. Postal Service:

      The OIG was authorized by law in 1996. The inspector general, who is independent of Postal Service management, is appointed by and reports directly to the nine Presidentially appointed governors of the Postal Service. The primary purpose of the OIG is to prevent, detect, and report fraud, waste, and program abuse and to promote efficiency in the operation of the Postal Service.